"Denied Access" with no rule (Full Version)



gsandorx -> "Denied Access" with no rule (27.May2009 5:33:23 PM)

Hi guys, my ISA Server 2006 is denying packets without matching any of my FW rules. I mean, when I query the ISA logging, it prints "Denied Access" as usual, but without specifying any matching rule. What is the reason for that behavior?

Thanks and regards,
sandor




inderjeet -> RE: "Denied Access" with no rule (27.May2009 6:36:36 PM)

What packets are being denied? How is your web proxy configured?




gsandorx -> RE: "Denied Access" with no rule (28.May2009 8:21:12 AM)

Well, actually I don't get your first question, but my ISA FW is denying connections that were previously established without specifying the reason to me, I mean, which rule raised the violation.
My ISA server is only configured as a FW. I disabled the web proxy filter for HTTP. I'm using ISA in a 3-leg scheme.

Best regards,
sandor




inderjeet -> RE: "Denied Access" with no rule (28.May2009 9:30:32 AM)

Hard to say it just like that. Highly possible it's not your ISA server denying those packets. It could be the server you are connecting to that is denying the packets. A network trace on ISA could verify that. You need to check the RESET flag; check which server is actually setting the RESET flag.




Jason Jones -> RE: "Denied Access" with no rule (28.May2009 6:56:43 PM)

quote:

ORIGINAL: gsandorx

Hi guys, my ISA Server 2006 is denying packets without matching any of my FW rules. I mean, when I query the ISA logging, it prints "Denied Access" as usual, but without specifying any matching rule. What is the reason for that behavior?

Thanks and regards,
sandor


What is shown in the Result Code column for these entries?

It is probably an FWX_E_TCP_NOT_SYN_PACKET_DROPPED error. These are common when previous sessions need to start a new TCP/IP three-way handshake. This error code normally indicates that ISA received TCP traffic (e.g. not a SYN packet) on a connection that wasn't opened, or that was already closed. So, if a connection is abortively closed (e.g. reset packet) and the client sends traffic on that connection, ISA may complain that this data is being sent for a connection that doesn't exist; hence TCP_NOT_SYN.

http://msdn.microsoft.com/en-us/library/ms812624.aspx

Cheers

JJ




gsandorx -> RE: "Denied Access" with no rule (29.May2009 7:58:11 AM)

Thank you all. That's probably the reason. I'll capture some packets at both sides of my ISA and tell you guys the results.

Cheers,
sandor




Jason Jones -> RE: "Denied Access" with no rule (29.May2009 9:09:31 AM)

Please do...[:)]

It is hard to know sometimes if these errors are "normal" or related to a specific issue like this:

http://support.microsoft.com/kb/888042/en-us

Cheers

JJ




pwindell -> RE: "Denied Access" with no rule (29.May2009 9:57:01 AM)

Guys,
When ISA denies traffic without any "Rule",...it is being denied based on System Policy.

The one thing that has never been revealed here is: what packets? Doing what? For what? From where? Going where? There was one brief hint that it was HTTP but that was it...




Jason Jones -> RE: "Denied Access" with no rule (29.May2009 10:28:36 AM)

quote:

ORIGINAL: pwindell

Guys,
When ISA denies traffic without any "Rule",...it is being denied based on System Policy.


Not true.

One example is given above, others include Network Rules (FWX_E_NETWORK_RULES_DENIED) and things like Flood Mitigation (FWX_E_RULE_QUOTA_EXCEEDED_DROPPED).

IIRC, System Policy denies will show [System] <System Policy Rule Name> in the rules column.

Cheers

JJ




pwindell -> RE: "Denied Access" with no rule (29.May2009 10:40:07 AM)

Whatever.  I read it in something Jim wrote,...figured I could trust him.




Jason Jones -> RE: "Denied Access" with no rule (29.May2009 10:52:21 AM)

Open minded as ever Phil [;)]

Fire up logging on a busy ISA Server with a denied action filter enabled and have a look at the results. I'm sure Jim would tell you the same...

Cheers

JJ




Jim Harrison -> RE: "Denied Access" with no rule (29.May2009 11:54:24 AM)

quote:

ORIGINAL: pwindell

Guys,
When ISA denies traffic without any "Rule",...it is being denied based on System Policy.

The one thing that has never been revealed here is: what packets? Doing what? For what? From where? Going where? There was one brief hint that it was HTTP but that was it...


Er.. no. System policies are also rules.

When ISA or TMG deny packets without quoting a rule, it's one of two things:
1. Network rule decision
2. Packet filter action (non-syn, flood, etc.)
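The triage logic described in this thread (Jason Jones's result codes and "[System]" rule prefix, and Jim Harrison's two-way split) can be applied to exported log rows. The script below is an added example, not code from the forum or from Microsoft; it assumes a constructed, simplified tab-separated log layout (timestamp, client IP, destination, action, rule, result code) rather than the real ISA W3C column set, and the sample rows, IP addresses and rule names are constructed. Only the result codes named in the thread are mapped; anything else is reported as unknown so it gets looked at rather than silently binned.

```python
"""Classify ISA 2006 "Denied Access" log rows that carry no rule name.

Added example (not from the thread). The log layout below is an assumed,
simplified one: six tab-separated fields. Adjust FIELDS to your export.
"""
from collections import Counter

FIELDS = ("timestamp", "client_ip", "destination", "action", "rule", "result_code")

# Result codes quoted in the thread. Per Jim Harrison, a deny with no rule is
# either a network rule decision or a packet filter action (non-SYN, flood, ...).
NETWORK_RULE_CODES = {"FWX_E_NETWORK_RULES_DENIED"}
PACKET_FILTER_CODES = {
    "FWX_E_TCP_NOT_SYN_PACKET_DROPPED",   # data on a connection ISA never saw open
    "FWX_E_RULE_QUOTA_EXCEEDED_DROPPED",  # flood mitigation quota hit
}

# Constructed sample rows; "-" marks a result code that is irrelevant to the
# classification (the rule column already answers the question).
SAMPLE_ROWS = [
    ("2009-05-27 17:33:01", "10.0.0.15", "192.0.2.10:80", "Denied Access", "", "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"),
    ("2009-05-27 17:33:04", "10.0.0.15", "192.0.2.10:80", "Denied Access", "", "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"),
    ("2009-05-27 17:33:09", "10.0.0.22", "10.1.0.5:445", "Denied Access", "", "FWX_E_NETWORK_RULES_DENIED"),
    ("2009-05-27 17:33:12", "10.0.0.30", "10.1.0.1:3389", "Denied Access", "[System] Example system policy rule", "-"),
    ("2009-05-27 17:33:15", "10.0.0.31", "198.51.100.9:6881", "Denied Access", "Block P2P (constructed)", "-"),
    ("2009-05-27 17:33:18", "10.0.0.31", "192.0.2.10:80", "Initiated Connection", "Allow Web (constructed)", "-"),
    ("2009-05-27 17:33:20", "10.0.0.40", "198.51.100.7:25", "Denied Access", "", "FWX_E_RULE_QUOTA_EXCEEDED_DROPPED"),
    ("2009-05-27 17:33:25", "10.0.0.41", "192.0.2.44:443", "Denied Access", "", "0xc0040099"),  # constructed, unmapped
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"


def parse_log(text):
    """Turn the tab-separated export into a list of dicts keyed by FIELDS."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and W3C-style directive lines
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def classify(entry):
    """Explain why a denied row has (or lacks) a rule name, using the thread's categories."""
    rule = entry["rule"].strip()
    code = entry["result_code"].strip()
    if rule.startswith("[System]"):
        return "system policy rule"          # shows up in the rule column, per Jason Jones
    if rule:
        return "access rule"                 # an ordinary firewall policy rule matched
    if code in NETWORK_RULE_CODES:
        return "network rule decision"
    if code in PACKET_FILTER_CODES:
        return "packet filter action"
    return "unknown (check result code)"


def summarize_denies(text):
    """Count denied rows per category; allowed/initiated rows are ignored."""
    denied = [e for e in parse_log(text) if e["action"] == "Denied Access"]
    return Counter(classify(e) for e in denied)


def not_syn_pairs(text):
    """Count TCP_NOT_SYN drops per (client, destination) so a pair that keeps
    recurring, which may point at a real issue rather than background noise,
    stands out from one-off drops after a reset."""
    pairs = Counter()
    for e in parse_log(text):
        if e["result_code"].strip() == "FWX_E_TCP_NOT_SYN_PACKET_DROPPED":
            pairs[(e["client_ip"], e["destination"])] += 1
    return pairs


if __name__ == "__main__":
    for category, count in summarize_denies(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {category}")
    for (client, dest), count in not_syn_pairs(SAMPLE_LOG).most_common():
        print(f"NOT_SYN x{count}: {client} -> {dest}")
```

Feed `summarize_denies` a real export after adjusting `FIELDS` to the column order of your log; the point is that "no rule name" is not one condition but several, and the result code column is what separates them.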



